Bangeter 03-persistence_techniques_v40.pdf
File details
Flashcards | 15 |
---|---|
Language | English |
Category | Computer science |
Level | University |
Created / Updated | 19.06.2019 / 01.07.2021 |
Web link | https://card2brain.ch/box/20190619_bangeter_03persistencetechniquesv40_pdf |
Why does most malware have persistence mechanisms?
Persistence mechanisms allow malware to survive a reboot.
The goal of persistence is to launch malware during boot, logon, etc...
Describe the two persistence mechanisms of patching.
Binary patching used to be called "virus"
Trojanized system binaries: add malicious code to executables or DLLs that are part of the OS, and which thus get loaded on system startup.
MBR patching: allows malware to start very early in the boot process, before any security mechanisms get loaded (the master boot record is modified to load malware). [Newer Secure Boot mechanisms allow the BIOS to verify the signature of the boot loader.]
How can you detect binary patching?
- Check hashes of files on the system against a DB of known good binaries
- Check signature of files
Sigcheck from Sysinternals is a tool to perform signature checks; it can also be used to perform a VirusTotal lookup for unknown files.
Name 3 different mechanisms that can be abused in an OS in order to autostart malware.
These can be modified.
- Logon items for users (e.g. Dropbox, Skype...)
- Services
- Scheduled tasks
What does the volatility command hivelist do?
hivelist: locates the virtual addresses of registry hives in memory and the full paths to the corresponding hive on disk.
What interesting information in regards to malware can be extracted from the registry?
- Autostart / malware persistence
- Data stored by malware in registry
- Partial information on programs executed and the files accessed
- Encrypted / obfuscated malware payloads
Additional information
- user related information
- Hardware configs
- Credentials / passwords
What tool can be used for inspecting autostart mechanisms on a live system?
Autoruns: this is a tool for inspecting autostart mechanisms on a live system
- Autoruns is a kind of reference of Windows autostart mechanisms
- Unfortunately, autoruns does not work on memory images
What volatility command allows you to inspect subkeys?
printkey -K "key"
Displays the subkeys, values, data and data types contained within a specified registry key.
What are Windows services? Name some examples of their functions.
Windows services are processes that are running independently of user logons etc.
They provide system functions for:
- System updates
- Printing
- Windows security
- Anti-Virus
- Etc...
Name two ways in which services can be abused by malware.
Services can be abused by malware in the following ways:
- As a persistence and launching mechanism, i.e. to get a malware process started or a malware driver loaded into the kernel.
- Services can be switched off to prevent security mechanisms from starting / updating, such as AV and system updates.
- Services can be manipulated and hidden by malware
- E.g. by unlinking services from kernel lists
Name 3 different types of services.
- Kernel drivers
- Standalone processes
- Shared services (where multiple services run in a single process)
- Example: svchost.exe the shared services are loaded as DLLs into the svchost.exe process.
Name some tools that can be used to do live analysis of services.
- sc query [command shell]
- psservice.exe [command shell, Sysinternals]
- Process Hacker
- Process Explorer
- Services.msc
What does the volatility command svcscan do?
svcscan: scans services and walks the linked list of services (within SCM / services.exe)
- Detects some unlinked / hidden services
- svcscan allows us to identify services as such and reveals service-specific information
What techniques can a rootkit use to hide services?
Unlinking a service from the service list
- much like process and DLL unlinking
- Tricks live tools
- Can still be found using svcscan
Malware can avoid the SCM altogether, and use alternative techniques for launching services
- No traces left in svcscan
- Additional traces are left in Windows event log and the registry
- Some of these can be tricked
Question about Stuxnet
tbd.